It’s Screen Time

It’s Screen Time

The development and standardization of mobile driver’s license technology promises a new era of security, privacy, safety and convenience

  |    |  

The smartphone of today is a remarkable and powerful device. As a primary gateway for online activity, the modern multi-tool’s utility derives in part from its mobility—nearly everyone has one in his or her pocket or purse. The ongoing efforts behind the development of a digital mobile driver’s license (mDL or DDL) are motivated by the global population’s reliance on these devices.

“In my 20+ years with AAMVA, I’ve never been more excited about something we’re doing as a community,” says Geoff Slagle, AAMVA director of identity management, about the development and standardization of mDL technology.

The Importance of Interoperability

AAMVA’s Joint mDL Working Group is finalizing a procurement guidance document and continues to work toward the first official technical guidance for the mDL. The initial guidance is for offline/attended use cases on smartphones as well as other devices such as tablets, laptops, and wearables. The working group also continues to monitor and promote opportunities

to study and pilot test the operational concepts for mDL.

Development of an mDL standard is being led by the International Organization for Standardization’s (ISO) JTC1/SC17/WG10. In April, 2018, the group met in Sunnyvale, Calif., to review and resolve comments on the first edition draft of the standard. Within the working group, Arjan Geluk, principal advisor with UL’s transaction security division, leads the task force specifically focused on mobile driver’s licenses. Geluk also serves as technical advisor to AAMVA’s Joint mDL Working Group.

“Over the past year, we’ve been working on using existing technology to get iOS and Android devices to communicate with each other, even when there is no internet connectivity,” Geluk says. “It is possible, we have made it work in a technical proof of concept in collaboration between AAMVA and RDW, the DMV of the Netherlands. And that’s an important gain.”

Interoperability between different devices and different systems is essential for mDL apps, as is functionality in an offline environment. Convenience and efficiency are among the many benefits mDLs offer, but those benefits can’t be fully attained unless mDLs are readable everywhere, regardless of device, or the app developer, or the jurisdiction the mDL is used in, or the country, for that matter.

“We need to think of a DDL [digital driver’s license] as more than just an app on a phone. It’s the application plus the ecosystem around it,” explains Suraj Sudhakaran, Gemalto solutions architect, Digital Identity for Americas. “Everything needs to be thought out—the needs of the DMV, the verifying party and the end user—and developed with the standards established by the ISO and AAMVA, because these are the organizations ensuring interoperability.”

Participants for the Joint mDL Working Group as well as WG10 include issuing authority representatives and technology industry providers who are important stakeholders. Though these companies are direct competitors in the mDL market, they have all come to the table as collaborators in recognition of the importance of a common interoperable standard upon which to build mDL apps.

“That’s AAMVA’s sweet spot,” Slagle says, “our ability to bring our members together around the interdependencies we have with each other, and figure out how to make something work.”

The number of companies currently working on mDL technology and the number of jurisdictions worldwide who recognize the potential of mDL motivates WG10 to work as quickly as possible to complete the first edition of the standard. Its publication is expected in late 2019.

Between now and then, industry providers will partner with more jurisdictions to pilot test mDL apps, gather feedback and refine, using the working draft of the standard.

MDL all
MDL age
Data minimization is a privacy feature of mDLs that many pilot users really like. An mDL app allows the user to select the type of transaction and minimizes the personal data displayed.

Security and Privacy

In addition to interoperability and offline capability, data security and privacy are of paramount importance in the development of mDLs.

“How do you protect the mDL holder’s data and what technologies are you using for that?” Geluk explains. “Are we going to rely on the security characteristics of Bluetooth or Wi-Fi? Or are we separating that out and doing more on the application layer?”

Security and privacy by design is the answer, says Geluk. “The way we standardize must enable protection of the license holder’s data.”

“Digital Driver’s Licenses provide multifactor authentication with something you have—your phone, something you know—your access pin, and something you are—your fingerprint or face ID,” Sudhakaran says.

The frequency, scope and scale of cyberattacks in recent years has brought online security to the forefront of many people’s concerns about their digital identities. Add to that unfolding revelations about harvesting of certain social media users’ data without their knowledge, and the threat level approaches existential proportions.

Identity theft and fraud are on the rise as well. According to the Insurance Information Institute’s 2017 Fraud Study, released by Javelin Strategy & Research, in the past six years, identity thieves have stolen over $107 billion from U.S. consumers.

Ensuring Trust

“The mDL allows for a significant leap forward in privacy,” Slagle says. Consider all the scenarios where people hand their license over to somebody. In so doing, they’re handing over their photo, their date of birth, their address. “The big question we’ve been asking for a long time is why? Why should they have to hand everything over when, if they’re just buying an age-restricted product, the only thing you need to know is that I’m really me and that I’m old enough for this transaction.”

“Mobile DLs put the users in control of their data—they decide what data they are going to share and with whom,” says Jeff Quarrington, Canadian Bank Note Director of Identification Solutions. “Data minimization allows the user to share only what needs to be shared to conduct the business transaction.”

The retail industry is excited about mDLs because the features that help fight fraud bring a great value to them, to have more confidence that the ID is authentic, says Rob Mikell, director of government mobile solutions for Idemia. “It’s pretty hard for anybody to know the driver’s licenses from all fifty states along with the security features that make them authentic. But when you can use an electronic or digital security feature on a smartphone, you can be sure that what you’re looking at is authentic.”

“It’s one thing to issue an mDL and provide benefits to the DMV and the end user, but it also needs to provide value and utility to the relying parties for them to adopt it,” Quarrington says.

Gemalto CO Lottery Claim Center DDL
At a lottery claims center, a Colorado pilot participant scans her digital driver’s license to purchase a lottery ticket.

Trust is the foundation for confidence. The mDL’s fundamental value is that it’s issued by the DMV, which has vetted the holder’s identity. “The mDL relies on the data that was electronically signed in a trusted environment, namely the system of record of an issuing authority,” Geluk explains. A digital signature binds the mDL holder’s information and privileges cryptographically on the mobile device. Using the issuing authority’s digital certificate, it can be verified any time, even in offline scenarios. And that mDL data is bound to the holder biometrically using the face image.

Compared to the traditional, physical credential of a plastic card that can be misplaced or lost, the personal information contained in an mDL resides behind layers of security on a digital device. If a physical driver’s license is lost, anyone who finds it instantly knows the holder’s full name, date of birth and address. If a phone containing an mDL is lost, anyone who finds it will first need to know or guess the passcode to unlock the device. Beyond this first layer of security, that person would then need to know or guess the separate passcode to open the mDL app itself. And in that time, the holder will have had the opportunity to contact the DMV or issuing authority to request deactivation of the mDL on that device to prevent accessibility.

The Mobility Ecosystem of the Future

The potential benefits mDLs offer are myriad and meaningful. But there is much work to do before those benefits can be fully realized and made available to the broader public.

“Until we take the time to test this functionality and learn from it, we’re not going to get to where we could already be by now,” says Delaware DMV Director Scott Vien, whose jurisdiction in March began a six-month mDL pilot test in partnership with Idemia.

“I’m glad we’re not the only ones testing this technology because it’s going to take a collective study to come up with something that will work not just in our jurisdiction but across all jurisdictions the same way the physical card is accepted everywhere today,” he says.

“Jurisdictions around the world are looking at the mDL as a catalyst for a virtual driver’s license that can be used online,” Quarrington says. Digital wallet apps already exist for credit cards. The mDL is a natural extension of this concept and could contain not only an mDL, but other licenses and permits as well, such as hunting and fishing licenses or firearms permits.

In the near future, mDLs will not be a replacement for physical cards, they will be offered as an additional convenience option when driver’s licenses are issued. But in the distant future, mDLs and the apps that manage them could become the secure electronic identification with which an individual interacts with a ubiquitous, trusted mobility ecosystem.

Imagine a future where an autonomous taxi can be reserved online for a lift to the airport and the door is unlocked by scanning an mDL to verify the rider’s identity? The implementation for such transactions and countless more are being envisioned, standardized, secured and tested today by technology companies in partnership with jurisdictions around the world.

Through the pioneering efforts of AAMVA members—issuing authorities, law enforcement officials and industry partners—working in close collaboration to develop interoperability standards and technological requirements, mobile driver’s licenses will soon be a practical and valuable part of everyone’s digital lives.


TEST PILOTS

How jurisdictions are implementing mDL technology

{tab title=”Delaware” class=”delaware”}

Scott Vien, Delaware DMV director

Industry partner:  Idemia

Testing period:  March through August 2018

Duration:  Six months

Number of mDL holder participants:  130

Number of relying party participants:  25

Testing scenarios: We approached relying parties in the business community with email blasts, we reached out over the phone, but we weren’t getting a lot of traction. So we started going door to door. Over the course of a few weeks, being able to show them an mDL prototype—how it works, how it could benefit their business—worked really well. We provided materials for their employees, for example, an informative poster so they could be aware of what an mDL is and know how to interact with it.

mDL holders and verifiers feedback: Anecdotally, the feedback has been great. I’ve used it myself four times now without any issues; all four times it was accepted. Checking into a hotel, filling a prescription, among a few other things. There’s been curiosity about it and a lot of excitement actually. One thing I used it for was to transfer data over from my old phone to a new phone at a cell phone store. They asked for my license, I pulled out my mDL, and they thought it was the greatest thing ever. They all pulled out their phones and said, “What’s the name of the app?” cause they wanted to download it. But, of course, it’s not available to the public yet at this point.

Refinements wishlist: An important comment from Delaware Alcohol and Tobacco enforcement was to include an expiration date, because they train all of their liquor providers to look at the expiration date, and if it’s expired, do not sell. That was valuable feedback, so for the next app update, we included the expiration date on the proof of age privacy screen.

Next steps: With regard to cost, there are varying schools of thought, ranging from a fixed price to a subscription fee to no cost. And frankly, we have a lot to gain from the mDL and the direct connection it offers to our customers for important notifications, such as an insurance lapse, online driver’s license renewals and so on. If we didn’t have to charge anything for this, adoption could be more widespread. That connection to the customer is important and potentially more valuable than any additional revenue.

{tab title=”Virginia” class=”virginia”}

Charles Sheldon, Virginia DMV director of digital services

Industry partner: Canadian Bank Note Company

Testing period: July through September 2016

Duration: Three months

Number of mDL holder participants: 252

Number of relying party participants: 15 (three breweries, five convenience stores, two restaurants and five liquor stores)

Testing scenarios: Across 15 retail partners, mDL was verified 1,143 times. Additionally, DMV in partnership with the Virginia State Police held an event to demonstrate the use of the technology in a potential traffic stop.

mDL holders and verifiers feedback: Security of personal information was noted as the mDL’s “most important” feature.

95% believe the mDL to be a secured credential.

75% of retail partners were overall somewhat or very satisfied with the mDL proof of concept.

Refinements wishlist: The team will be working to further improve the user experience, including refinements to the customer interface and removing unneeded steps. Making access as quick and smooth as possible will be critical to customer adoption.

Next steps: The key to mDL success comes down to two primary requirements: demonstrating the added value over traditional licenses and identification cards, and fostering a growing ecosystem. Tapping into a real-time network offers increased credential security and value to both citizens and businesses, but there has to be incentive to invest and grow this infrastructure. Virginia is continuing to explore and promote product development and business relationships, both public and private, to move the mDL from a proof-of-concept to a practical credential and information service.

{tab title=”Iowa” class=”iowa”}

Corey Lorenz, Director, Office of Motor Vehicle Support, IT Division

Industry partner: Idemia

Testing period: November 2015 through June 2016

Duration: Eight months

Number of mDL holder participants: 62

Number of relying party participants: Iowa tested with a handful of local convenience store chain in the Des Moines metro area. Testing was limited to exploring backwards compatibility with existing 2D barcode technology. Iowa also tested at DOT facilities with a dedicated mDL reader stations.

Refinements wishlist: Cross jurisdictional, cross platform interoperability, Android platform support

Next steps: Iowa is moving forward with a full production implementation of the mDL. Expected timeline for release is 2019.

{tab title=”Wyoming” class=”wyoming”}

Renee Krawiec, Senior Supervisor, Wyoming DOT Driver Services Program

Industry partner: Gemalto

Testing period: Phase I: September through November 2017; Phase II: Currently underway through September

Duration: Phase I–Three months; Phase II–Six months

Number of mDL holder participants: 60+

Testing scenarios: Highway patrol simulated roadside stops involving a 52-foot tractor trailer as well as a truck pulling a camper trailer, to test if the technology would work at that distance.

A local exam station held an open house where the public could come in and see what the mDL looked like and how it works in different scenarios. Several members of other state agencies interested in mDLs visited for this event.

A local airport held a simulation event for going through a security check.

mDL holders and verifiers feedback  Something people really like about the pilot test mDL app is that it randomizes the numbers on the touchscreen keypad for the pin to unlock the mDL. If someone got your phone and could use some digital tool to determine how you touched the screen to unlock, it’s not going to matter since it’s random each time.

Reception by the business community has been positive. They have confidence that the mDL is authentic because it gets scanned and their system verifies it. Also, the way the holder has to interact with it to access it, it provides a higher level of confidence that it’s valid.

Feedback from the general public has been, “Wow, is this available now?”

Refinements wishlist: Phase II of pilot testing will explore how to incorporate the digital driver’s license further into the ecosystem, for example, being able to renew a driver’s license on a website that would allow the mDL to prepopulate a form. Also, how can the mDL facilitate acquisition of hunting and fishing licenses where they are utilizing the same info? Or firearm permits?

Next steps: We have a digital driver’s license team with members from our IT department, driver’s services and highway patrol. We brainstorm ideas, review our participant’s feedback and convene with other agencies who have approached us wondering how mDLs will affect them.

{/tabs}


Related Articles

Building Inclusion and Equity

Agencies assess programs to improve their diversity, equity and inclusion efforts

Partners for the Journey

Jurisdictions find success working with third-party agents

It’s All In Hand

New technologies are helping DMV contact centers operate more efficiently and provide better quality service to customers